
Validating web pages

Objective

To ensure that the application is robust against all forms of input data, whether obtained from the user, infrastructure, external entities or database systems.

Description

The most common web application security weakness is the failure to properly validate input from the client or environment. This weakness leads to almost all of the major vulnerabilities in applications, such as interpreter injection, locale/Unicode attacks, file system attacks and buffer overflows. All sections of this chapter should be reviewed.

Data from the client should never be trusted, because the client has every opportunity to tamper with it.

Where to include business rule validation

Business rules are known during design, and they influence implementation: a value can be syntactically valid and still violate a rule that the design fixed, so business rule checks belong alongside the syntactic ones.

Where to include integrity checks

Integrity checks must be included wherever data passes from a trusted to a less trusted boundary, such as from the application to the user's browser in a hidden field, or to a third party payment gateway, such as a transaction ID used internally upon return.

The type of integrity control (checksum, HMAC, encryption, digital signature) should be directly related to the risk of the data transiting the trust boundary.

Where to include validation

Validation is needed on every tier, but it should be performed as per the function of the server executing the code. For example, the web / presentation tier should validate for web related issues, persistence layers should validate for persistence issues such as SQL / HQL injection, directory lookups should check for LDAP injection, and so on.

Data validation strategies

There are four strategies for validating data, and they should be used in this order:

Accept known good. This strategy is also known as "whitelist" or "positive" validation: check that the data matches a tightly constrained definition of what is valid (type, length, permitted characters, numeric range) and reject everything else.

Reject known bad. This strategy, also known as "blacklist" or "negative" validation, rejects input that contains characters or patterns you already know to be dangerous. This is a dangerous strategy, because the set of possible bad data is potentially infinite. Adopting this strategy means that you will have to maintain the list of "known bad" characters and patterns forever, and you will by definition have incomplete protection.

Sanitize. Rather than accept or reject input, change it into an acceptable form, for example by stripping every non-digit character from a phone number. Thus, "(555)123-1234", "555.123.1234", and "555\"; DROP TABLE USER;--123.1234" all convert to 5551231234.

Encoding

In many cases, encoding has the potential to defuse attacks that rely on lack of input validation. For example, if you use HTML entity encoding on user input before it is sent to a browser, it will prevent most XSS attacks. However, simply preventing attacks is not enough: you must also perform intrusion detection in your applications, so that rejected or neutralised attack input is recorded rather than silently discarded.
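The hidden-field case from the integrity-check section above, as an added example that is not part of the original page: an HMAC over the fields the server must trust again when the form comes back, so that a change made on the untrusted side is detected. The field names, the sample values and the per-process key are assumptions made for illustration.

```python
"""HMAC integrity check for data that crosses to a less trusted boundary.

Added example, not from the original page. A transaction ID and amount are
placed in a hidden form field, come back from the browser later, and an HMAC
over a canonical encoding of the fields lets the server detect any change
made on the client side. Field names, values and key handling are assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qsl, urlencode

# Assumed: a server-side secret that never leaves the server. Generated per
# process here; a real deployment loads it from a key store.
SERVER_KEY = secrets.token_bytes(32)


def _canonical(fields: dict) -> str:
    # Sorted, percent-encoded form so verify() recomputes exactly the same bytes.
    return urlencode(sorted(fields.items()))


def protect(fields: dict, key: bytes = SERVER_KEY) -> str:
    """Return an opaque value for a hidden field: canonical payload plus HMAC tag."""
    payload = _canonical(fields)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"  # '|' is percent-encoded inside the payload


def verify(blob: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Return the fields if the tag is valid, else None (log it as an intrusion attempt)."""
    payload, sep, tag = blob.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == would leak the tag byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return dict(parse_qsl(payload, strict_parsing=True))
    except ValueError:
        return None


def demo() -> tuple:
    """Round trip an honest form and a tampered one (constructed values)."""
    blob = protect({"txn": "T-1001", "amount": "49.95"})
    # Client-side tampering: change the amount but keep the original tag.
    payload, _, tag = blob.rpartition("|")
    forged = payload.replace("49.95", "0.01") + "|" + tag
    return verify(blob), verify(forged)


if __name__ == "__main__":
    print(demo())
```

Only the fields the server will act on later need protecting; anything the client may legitimately edit stays outside the tag. Because the page ties the control to the risk, a checksum would do for a display hint, while a price or transaction ID that drives money movement warrants the keyed HMAC shown here.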
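The per-tier point from the validation section above, as an added example that is not part of the original page: the persistence layer defending itself against SQL injection rather than relying on whatever the web tier did. The table, rows, lookup functions and injection string are constructed for illustration, and sqlite3 stands in for any SQL back end.

```python
"""Validation matched to the tier: the persistence layer against SQL injection.

Added example, not from the original page. The table, rows and lookup
functions are constructed for illustration.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table keyed by phone number."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, phone TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "5551231234"), ("bob", "5559876543")])
    conn.commit()
    return conn


def find_by_phone_unsafe(conn: sqlite3.Connection, phone: str) -> list:
    """Vulnerable: the persistence tier splices an unvalidated string into SQL."""
    sql = "SELECT name FROM users WHERE phone = '" + phone + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_phone_safe(conn: sqlite3.Connection, phone: str) -> list:
    """Hardened: a bound parameter is always data, never SQL syntax."""
    return [row[0] for row in
            conn.execute("SELECT name FROM users WHERE phone = ?", (phone,))]


def demo() -> tuple:
    """Run the same constructed injection string through both versions."""
    conn = build_db()
    attack = "' OR '1'='1"  # constructed: closes the literal, adds a tautology
    return (find_by_phone_unsafe(conn, attack),   # every row leaks
            find_by_phone_safe(conn, attack),     # no row has that literal phone
            find_by_phone_safe(conn, "5551231234"))


if __name__ == "__main__":
    print(demo())
```

The presentation tier should still have rejected the string on shape alone, but the persistence tier binds parameters regardless, because it cannot know which callers validated. The same division applies to the page's other tiers: a directory lookup escapes the filter it builds, whatever the web layer accepted.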
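The strategies listed above, as an added example that is not part of the original page: accept known good, reject known bad and sanitize applied to the page's three phone-number inputs, then HTML entity encoding at the output boundary and an intrusion-detection hook for rejected input. It goes beyond the page by adding two constructed evasion strings that show why the denylist is incomplete; the patterns, sample inputs and event list are assumptions made for illustration.

```python
"""The data validation strategies side by side, then output encoding and an
intrusion-detection hook. Added example, not from the original page; the
patterns, sample inputs and the event log are constructed for illustration.
"""
import html
import re

# 1. Accept known good: a tight description of a valid US-style phone number.
#    Anything that does not match is rejected, whatever it contains.
US_PHONE = re.compile(r"^\(?(\d{3})\)?[-. ]?(\d{3})[-. ]?(\d{4})$")


def accept_known_good(value: str):
    m = US_PHONE.match(value)
    return "".join(m.groups()) if m else None


# 2. Reject known bad: a denylist that is, by construction, never complete.
KNOWN_BAD = re.compile(r"drop\s+table|--|<script", re.IGNORECASE)


def reject_known_bad(value: str):
    return None if KNOWN_BAD.search(value) else value


# 3. Sanitize: coerce the input into an acceptable shape, here digits only.
def sanitize_phone(value: str) -> str:
    return re.sub(r"\D", "", value)


# Encoding at the output boundary: the data can no longer be parsed as markup.
def encode_for_html(value: str) -> str:
    return html.escape(value, quote=True)


# Intrusion detection hook: rejected input is recorded, not silently dropped.
EVENTS = []  # stand-in for the application's security event log (assumption)


def validate_phone(value: str):
    digits = accept_known_good(value)
    if digits is None:
        EVENTS.append(f"rejected phone input: {value!r}")
    return digits


def demo() -> dict:
    """Run the page's three sample inputs and two constructed evasions."""
    samples = ['(555)123-1234', '555.123.1234', '555"; DROP TABLE USER;--123.1234']
    evasions = ['555; DELETE FROM USER; /*123.1234',  # not on the denylist
                '<img src=x onerror=alert(1)>']       # no "<script", still XSS
    return {
        "accept": [accept_known_good(s) for s in samples],
        "reject": [reject_known_bad(s) for s in samples + evasions],
        "sanitize": [sanitize_phone(s) for s in samples],
        "encode": encode_for_html(evasions[1]),
    }


if __name__ == "__main__":
    print(demo())
```

Note what each strategy does with the third sample: positive validation rejects it and logs an event, the denylist rejects it only because "DROP TABLE" happens to be listed (and lets the DELETE variant through), and sanitizing quietly turns an attack into a plausible number, which is why the page puts the strategies in that order and still asks for intrusion detection.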